In progress checkpoint. Things are starting to work.

2025-10-15 04:58:21 +00:00 · 2013-07-27 08:10:08 -04:00 · 2013-07-27 08:10:08 -04:00 · 7ba51786e5
commit 7ba51786e5
parent 1e098bae8d
8 changed files with 284 additions and 6 deletions
--- a/src/file_analysis/analyzer/CMakeLists.txt
+++ b/src/file_analysis/analyzer/CMakeLists.txt
@ -1,3 +1,4 @@
 add_subdirectory(data_event)
 add_subdirectory(extract)
 add_subdirectory(hash)
+add_subdirectory(pe)
--- a/src/file_analysis/analyzer/pe/CMakeLists.txt
+++ b/src/file_analysis/analyzer/pe/CMakeLists.txt
@ -0,0 +1,10 @@
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}
+                           ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(Bro PE)
+bro_plugin_cc(PE.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_pac(pe.pac pe-file.pac pe-analyzer.pac)
+bro_plugin_end()
--- a/src/file_analysis/analyzer/pe/Plugin.cc
+++ b/src/file_analysis/analyzer/pe/Plugin.cc
@ -0,0 +1,29 @@
+#include "plugin/Plugin.h"
+#include "file_analysis/Component.h"
+
+#include "PE.h"
+
+namespace plugin { namespace Bro_PE {
+
+class Plugin : public plugin::Plugin {
+protected:
+	void InitPreScript()
+		{
+		SetName("Bro::PE");
+		SetVersion(-1);
+		SetAPIVersion(BRO_PLUGIN_API_VERSION);
+		SetDynamicPlugin(false);
+
+		SetDescription("Portable Executable analyzer");
+
+		AddComponent(new ::file_analysis::Component("PE",
+		        ::file_analysis::PE::Instantiate));
+
+		extern std::list<std::pair<const char*, int> > __bif_events_init();
+		AddBifInitFunction(&__bif_events_init);
+		}
+};
+
+Plugin __plugin;
+
+} }
--- a/src/file_analysis/analyzer/pe/pe-analyzer.pac
+++ b/src/file_analysis/analyzer/pe/pe-analyzer.pac
@ -3,6 +3,7 @@
 #include "Event.h"
 #include "file_analysis/File.h"
 #include "file_analysis.bif.func_h"
+#include "events.bif.h"
 %}

 refine flow File += {
@ -52,7 +53,7 @@ refine flow File += {
 			dh->Assign(15, new Val(${h.OEMinfo}, TYPE_COUNT));
 			dh->Assign(16, new Val(${h.AddressOfNewExeHeader}, TYPE_COUNT));

-			BifEvent::generate_pe_dos_header((Analyzer *) connection()->bro_analyzer(), 
+			BifEvent::generate_pe_dos_header((analyzer::Analyzer *) connection()->bro_analyzer(), 
 			                                 connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
 			                                 dh);
 			}
@ -63,7 +64,7 @@ refine flow File += {
 		%{
 		if ( pe_dos_code )
 			{
-			BifEvent::generate_pe_dos_code((Analyzer *) connection()->bro_analyzer(), 
+			BifEvent::generate_pe_dos_code((analyzer::Analyzer *) connection()->bro_analyzer(), 
 			                               connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
 			                               new StringVal(code.length(), (const char*) code.data()));
 			}
@ -90,7 +91,7 @@ refine flow File += {
 			fh->Assign(2, new Val(${h.PointerToSymbolTable}, TYPE_COUNT));
 			fh->Assign(3, new Val(${h.NumberOfSymbols}, TYPE_COUNT));
 			fh->Assign(4, characteristics_to_bro(${h.Characteristics}, 16));
-			BifEvent::generate_pe_file_header((Analyzer *) connection()->bro_analyzer(), 
+			BifEvent::generate_pe_file_header((analyzer::Analyzer *) connection()->bro_analyzer(), 
 			                                  connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
 			                                  fh);
 			}
@ -138,7 +139,7 @@ refine flow File += {
 			oh->Assign(23, characteristics_to_bro(${h.dll_characteristics}, 16));
 			oh->Assign(24, new Val(${h.loader_flags}, TYPE_COUNT));
 			oh->Assign(25, new Val(${h.number_of_rva_and_sizes}, TYPE_COUNT));
-			BifEvent::generate_pe_optional_header((Analyzer *) connection()->bro_analyzer(), 
+			BifEvent::generate_pe_optional_header((analyzer::Analyzer *) connection()->bro_analyzer(), 
 			                                      connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
 			                                      oh);
 			}
@ -170,7 +171,7 @@ refine flow File += {
 			section_header->Assign(8, new Val(${h.non_used_num_of_line_nums}, TYPE_COUNT));
 			section_header->Assign(9, characteristics_to_bro(${h.characteristics}, 32));

-			BifEvent::generate_pe_section_header((Analyzer *) connection()->bro_analyzer(), 
+			BifEvent::generate_pe_section_header((analyzer::Analyzer *) connection()->bro_analyzer(), 
 			                                     connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
 			                                     section_header);
 			}
--- a/src/file_analysis/analyzer/pe/pe-file.pac
+++ b/src/file_analysis/analyzer/pe/pe-file.pac
@ -1,5 +1,5 @@

-type TheFile(part: uint8) = record {
+type TheFile = record {
 	dos_header      : DOS_Header;
 	dos_code        : DOS_Code(dos_code_len);
 	pe_header       : IMAGE_NT_HEADERS;